Embedded Control Systems Design/Hostile Environment

A hostile environment is understood here as every possible factor that prevents a system (of any complexity, at any level) from performing its function correctly.

As an embedded systems designer one should make sure that the hostile environment is taken into account during the development stage. Although existing systems that encounter a hostile environment can perfectly well be protected afterwards, it is helpful to consider the hostile environment already at the design stage, so as not to introduce a hostile environment yourself through faulty system design. Apart from their positive effect on system performance, countermeasures against hostile environments may have negative effects on other system parameters, e.g. higher economic cost, weight, power consumption, etc. And even if a design contains the necessary countermeasures against the hostile environment, a failure of the system cannot always be avoided. When a system does fail, it can fail in several manners: that is where failure modes turn up. When the countermeasures against the hostile environment fail, the resulting failure modes need to be observed correctly.

In this section we present some basic design rules for dealing with a hostile environment.

One example of a hostile environment is the adjustment of embedded control systems by end users in order to alter the performance of a device; e.g. tuning the electronic control unit or engine control unit (ECU) of a car can devastate its exhaust emission performance.

EMC (electromagnetic compatibility) is broadly discussed on Wikipedia. Here we give a brief summary of the phenomenon in order to get to the design countermeasures as soon as possible. The proper functioning of an electrical device can be disturbed by the unwanted generation, propagation or reception of electromagnetic radiation; electromagnetic radiation can thus form a hostile environment. In order not to be influenced by electromagnetic radiation, a device needs to be electromagnetically compatible with its environment. EMC can be divided into two phenomena: emission and immunity. This subdivision means that a device shouldn't emit too much radiation, but on the other hand should be immune to the radiation emitted by others. It is a design requirement for embedded control systems to overcome both phenomena. In the European Union, EU directive 2004/108/EC advises checking a device for EMC before the CE mark is affixed.

Electromagnetic radiation originating at the sun's surface can reach the earth's atmosphere and interfere with terrestrial communication. Professor Paul Kintner Jr. and Alessandro Cerruti (Cornell University [1]) discovered that GPS signals were interrupted for several minutes on the dayside of the earth due to solar flares. For automotive navigation this is only a minor inconvenience, but it can be dangerous for aerospace navigation and for the stabilization of oil rigs. The aerospace industry has built in redundancy by using gyroscopes as a backup; in fact the gyros date from the pre-GPS era. The more expensive automotive navigation systems can also be equipped with gyros as a backup in tunnels, where the signal is weak. In future designs of aerospace embedded control systems the designer should be concerned about these solar flares, as they are expected to cut the GPS signal for several hours in the years 2011-2012.

As explained before, EMC problems manifest themselves in two domains: emission and immunity. It is self-evident that countermeasures can be taken in both domains. Furthermore, a countermeasure against emission is often equally effective for the immunity of the device, and the other way around.

Decoupling capacitors (1 to 100 µF): small localized energy reservoirs that supply the circuit with current during transient, high-current-demand periods, preventing the voltage on the power supply rail from being pulled down by the momentary current load. Filters (line filters, signal filters) serve as further countermeasures.

RF chokes: choke coils are inductors that isolate alternating current from certain areas of a radio circuit.

Shield housings and lines: these always consist of conducting material. Although not all conducting materials are metals, shield housings are mostly made of metal. Electromagnetic shields act as Faraday cages. A Faraday cage shields electromagnetic radiation from the inside to the outside and the other way around, thus providing mutual protection. The mesh size of the cage should be smaller than the wavelengths to be blocked. Applications of Faraday cages are:

A microwave oven is equipped with a grid in front of the window. The mesh size of this grid is smaller than the wavelength of typical microwaves (1 mm – 1 m). However, visible light (400-700 nm) can still pass through, in order to offer the user a clear view of the food being heated.

Plastic housings don't act as a Faraday cage, but are aesthetically more suitable for consumer products than metal housings. Aesthetics and EMC can be combined by coating the inside of a plastic housing with a metallic spray. Make sure that antennas have proper access to the outside world from within such a housing.

Shoplifters often wrap the RFID chip in aluminium foil. That forms a Faraday’s cage as well, preventing the alarm from being triggered.

US passports are equipped with an RFID chip that can be read remotely at airport customs. However, to protect the owner's privacy, this passport shouldn't be readable at just any time. That's why these passports come with a shielding sleeve that acts as a Faraday cage.

Avoid antenna structures in PCB design, such as loops of circulating current or unbalanced transmission lines.

Keep in mind that radio communication (GPS, etc.) can be interrupted by nature (solar flares) or by humans (military enemies, terrorists). Therefore, in systems of vital importance (e.g. airplanes, military vehicles) one should build in some redundancy. In the specific case of GPS navigation, gyroscopes are often used to bridge dead-signal periods.

Raise the transmitting power of the signal source. Note that this can be constrained by health regulations.

Implement weak-signal tracking algorithms in the receivers, so that they can detect a signal under worse circumstances such as solar wind. Mind that this measure can conflict with other parameters, e.g. the economic cost, weight, power consumption, etc. of the receiver.
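The redundancy rule above (a gyroscope bridging dead-signal periods) can be shown as a small navigation filter that prefers GPS while fixes arrive and falls back to dead reckoning from a gyro and a speed sensor when they stop. The script below is an added example for this page, not code from any navigation product or from the sources it cites; the sensors are modelled as ideal (no gyro drift, exact speed), the local east/north frame and the 10 m/s straight-line drive with a five-second outage are constructed, and the 3 s fix-age limit after which the estimate is flagged as stale is an assumed design parameter.

```python
"""GPS outage fallback: dead reckoning from a gyro and a speed sensor.

Added illustration of the redundancy rule; not code from any navigation
product.  The sensors are modelled as ideal (no gyro drift, exact speed),
a deliberate simplification so that the arithmetic stays inspectable.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class GpsFix:
    x: float      # east position in metres, constructed local frame
    y: float      # north position in metres
    valid: bool   # False while the receiver reports loss of lock


class Navigator:
    """Position estimate that uses GPS when available and dead reckoning otherwise."""

    def __init__(self, x: float, y: float, heading: float, max_fix_age_s: float = 3.0):
        self.x, self.y = x, y
        self.heading = heading              # radians, 0 = east, counter-clockwise positive
        self.max_fix_age_s = max_fix_age_s  # after this long without a fix, flag the estimate
        self.last_fix_t: Optional[float] = None
        self.mode = "GPS"

    def update(self, t: float, dt: float, speed: float, yaw_rate: float,
               fix: Optional[GpsFix]) -> str:
        """Advance the estimate by one step of dt seconds and return the current mode."""
        # The gyro is integrated on every step, so the heading stays known while GPS is out.
        self.heading += yaw_rate * dt
        if fix is not None and fix.valid:
            self.x, self.y = fix.x, fix.y
            self.last_fix_t = t
            self.mode = "GPS"
        else:
            # Dead reckoning: move along the gyro heading by the distance travelled in dt.
            self.x += speed * dt * math.cos(self.heading)
            self.y += speed * dt * math.sin(self.heading)
            age = math.inf if self.last_fix_t is None else t - self.last_fix_t
            self.mode = "DEAD_RECKONING_STALE" if age > self.max_fix_age_s else "DEAD_RECKONING"
        return self.mode


def run_scenario(dt: float = 0.1, steps: int = 120, speed: float = 10.0,
                 outage: Tuple[float, float] = (5.0, 10.0)) -> List[Tuple[float, str, float, float]]:
    """Constructed scenario: drive straight east at `speed` m/s; GPS is lost during `outage`.

    Returns one (t, mode, x, y) record per step.
    """
    nav = Navigator(x=0.0, y=0.0, heading=0.0)
    log = []
    for i in range(steps):
        t = i * dt
        true_x = speed * t                      # ground truth for the straight-line run
        lost = outage[0] <= t < outage[1]
        fix = GpsFix(0.0, 0.0, False) if lost else GpsFix(true_x, 0.0, True)
        mode = nav.update(t, dt, speed, yaw_rate=0.0, fix=fix)
        log.append((t, mode, nav.x, nav.y))
    return log


if __name__ == "__main__":
    for t, mode, x, y in run_scenario()[45:105:5]:
        print(f"t={t:5.1f}s  {mode:20s}  x={x:6.1f}  y={y:4.1f}")
```

The point of the stale flag is that a dead-reckoned position degrades with time even though the code keeps producing numbers; a real system would surface that flag to the operator or to a supervisory controller rather than silently trusting the estimate, which is exactly the kind of failure mode the introduction asks the designer to observe.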

A power interruption can last from several milliseconds to several hours or even days. Long blackouts can be overcome by installing an uninterruptible power supply (UPS). All sorts and sizes of UPSs are available: for small electronic devices a battery will do the job; for large plants, hospitals and systems of systems (telecommunication networks) diesel generators are commonly used. Selection and control of UPSs is a discipline in itself, on which material is widely available on the web and in the literature.

When the supply voltage drops for only a couple of milliseconds, this is referred to as a voltage dip or a dropout. These short interruptions are far more frequent than long blackouts. According to [Schneider, p. 51-58], interruptions of 10 ms are likely to occur every 200 h, in contrast to long interruptions, which occur around once every 10,000 h. Voltage dips can lead to production halts that last much longer than the dip itself: according to [Terörde, p. 282], voltage dips of 100 ms duration can lead to production halts of 24 hours.

Drives of AC electric motors are very sensitive to voltage dips, although the AC motor itself can perfectly well cope with a transient in the supply. Between the AC supply and the AC motor there is a DC bus, which contains a large capacitor to smooth the DC. When a voltage dip occurs at the supply side, the energy in this capacitor is consumed by the motor within a few milliseconds. The control loops of the motor drive draw their power from this DC bus. As soon as the DC bus voltage falls below a predetermined level, the inverter shuts down in order to avoid possible damage. With the controller offline, the motor and the production process remain uncontrolled, which can cause economic damage.

One might enlarge the capacitor in the DC link. But this capacitor is already a major cost item, and enlarging it would make the drive even more expensive. Furthermore, one might wonder whether any capacitor exists that can feed the hunger of multi-kW electric motors.

Ride-through scheme or kinetic buffering: the most interesting way of overcoming a voltage dip is to recover the mechanical energy stored in the rotating masses of the motor and its load. During a voltage dip the motor is operated in generator mode and generates a small amount of electrical power to maintain the DC bus and keep the control logic alive; in effect this comes down to regenerative braking. In essence, a dip detection mechanism activates a preprogrammed ride-through scheme, which reverses the power flow in a matter of milliseconds. Of course the motor will slow down, as this is regenerative braking. The amount of kinetic energy in the motor is finite, but it should suffice for the duration of the voltage dip. When the power failure persists, the motor will lose all its mechanical energy and won't be able to restart; eventually the control logic will shut down. But at least the process can be halted in a controlled way, without major damage. This concept is innovative and not yet common practice in industry, but it could become so in the future. Extensive explanations can be found in [Terörde, p. 283].
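The energy argument behind the last three paragraphs (the DC-link capacitor emptying within milliseconds, the impractical size of a capacitor that could bridge a 100 ms dip, and the kinetic reserve of the rotating masses) can be put in numbers. The script below is an added example written for this page, not code from [Terörde], [Schneider] or any drive manufacturer; every component value (540 V bus, 2000 µF capacitor, 15 kW load, 0.5 kg·m² inertia, 200 W control-logic power, 500 V detection and 400 V trip thresholds, 157 rad/s operating speed) is a constructed assumption chosen to give readable numbers. It computes the hold-up time of the capacitor alone, the capacitance a 100 ms dip would require, the time the rotor can feed the control logic, and then steps a simplified drive through a short and a persistent dip with and without the ride-through scheme.

```python
"""Voltage-dip behaviour of an AC drive: DC-bus hold-up versus kinetic buffering.

Added illustration of the DC-link and ride-through discussion above; all
component values are constructed and taken from neither a product nor the
references cited on the page.
"""
import math

# Constructed drive parameters (hypothetical, chosen to give readable numbers).
V_NOMINAL = 540.0      # V, DC bus voltage with the supply present
V_DETECT = 500.0       # V, dip-detection threshold that activates ride-through
V_TRIP = 400.0         # V, undervoltage level at which the inverter shuts down
C_BUS = 2.0e-3         # F, DC-link capacitor (2000 uF)
P_LOAD = 15_000.0      # W, load drawn from the bus by the motor in normal operation
P_CONTROL = 200.0      # W, control electronics kept alive during ride-through
J_ROTOR = 0.5          # kg*m^2, inertia of motor plus driven load
OMEGA_0 = 157.0        # rad/s, operating speed (about 1500 rpm)
OMEGA_MIN = 78.5       # rad/s, below this the process is halted in a controlled way


def capacitor_holdup_s(c=C_BUS, v0=V_NOMINAL, v_trip=V_TRIP, p=P_LOAD):
    """Seconds until the bus sags from v0 to v_trip when the capacitor alone feeds p.

    Energy released is 0.5 * C * (v0^2 - v_trip^2); dividing by power gives time.
    """
    return 0.5 * c * (v0 ** 2 - v_trip ** 2) / p


def capacitor_for_dip_f(dip_s, v0=V_NOMINAL, v_trip=V_TRIP, p=P_LOAD):
    """Farads needed to ride a dip of dip_s seconds on the capacitor alone (inverse of above)."""
    return 2.0 * p * dip_s / (v0 ** 2 - v_trip ** 2)


def kinetic_reserve_s(j=J_ROTOR, w0=OMEGA_0, w_min=OMEGA_MIN, p=P_CONTROL):
    """Seconds the rotating mass can feed the control electronics before reaching w_min.

    Same energy argument, with 0.5 * J * (w0^2 - w_min^2) in place of the capacitor energy.
    """
    return 0.5 * j * (w0 ** 2 - w_min ** 2) / p


def simulate_dip(dip_s, ride_through=True, dt=1e-3, settle_s=0.05):
    """Step the drive through a supply dip lasting dip_s seconds, in steps of dt.

    Returns (final_state, step_index_of_last_transition).  States:
      RUNNING          supply present, bus at nominal voltage
      RIDE_THROUGH     dip detected, motor regenerating just enough to hold the bus
      TRIP             bus fell below V_TRIP and the inverter shut down (no ride-through)
      CONTROLLED_HALT  rotor energy exhausted during a persistent dip
    Simplifications: the bus recharges instantly when the supply returns, and during
    ride-through the motor load is no longer fed from the bus.
    """
    dip_steps = int(round(dip_s / dt))
    total_steps = dip_steps + int(round(settle_s / dt))
    state, v_bus, omega = "RUNNING", V_NOMINAL, OMEGA_0
    last_change = 0
    for i in range(total_steps):
        if i >= dip_steps:                       # supply has returned
            if state == "RIDE_THROUGH":
                state, last_change = "RUNNING", i
            v_bus = V_NOMINAL
            continue
        if state == "RUNNING":
            # Capacitor discharging into a constant-power load: d(V^2)/dt = -2P/C.
            v_bus = math.sqrt(max(v_bus ** 2 - 2.0 * P_LOAD * dt / C_BUS, 0.0))
            if ride_through and v_bus < V_DETECT:
                state, last_change, v_bus = "RIDE_THROUGH", i, V_DETECT
            elif v_bus < V_TRIP:
                state, last_change = "TRIP", i
                break
        elif state == "RIDE_THROUGH":
            # Rotor kinetic energy feeds the control logic: d(w^2)/dt = -2P/J.
            omega = math.sqrt(max(omega ** 2 - 2.0 * P_CONTROL * dt / J_ROTOR, 0.0))
            if omega < OMEGA_MIN:
                state, last_change = "CONTROLLED_HALT", i
                break
    return state, last_change


if __name__ == "__main__":
    print(f"capacitor hold-up: {capacitor_holdup_s() * 1e3:.1f} ms")
    print(f"capacitor for a 100 ms dip: {capacitor_for_dip_f(0.1) * 1e3:.1f} mF")
    print(f"kinetic reserve for control logic: {kinetic_reserve_s():.1f} s")
    for dip, rt in ((0.1, False), (0.1, True), (60.0, True)):
        print(f"dip {dip:5.1f} s, ride-through={rt!s:5}: {simulate_dip(dip, rt)}")
```

With these constructed values the capacitor alone holds the bus for under 10 ms, a 100 ms dip would call for roughly ten times the capacitance, and the rotating mass can keep the 200 W control logic alive for tens of seconds: the 100 ms dip is ridden through and the drive returns to RUNNING, while a persistent outage ends in CONTROLLED_HALT rather than an uncontrolled TRIP.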